Policy | Security | Investigation

hacker response

November 25, 2009

If a public organization doesn't embrace transparency, transparency will be thrust upon it forcibly. For any institution, its electronic records are so detailed and subject to revelation in so many ways that the institution must find a way to pre-empt their inopportune public disclosure. Better to come clean with information now – before the lawsuit (think deposition) or the FOIA request or the hacker break-in brings the information to light.

The climate research unit at the University of East Anglia is learning directly how disconcerting unexpected disclosure can be. Someone – whether an outside hacker spy or an inside whistleblower – has leaked volumes of e-mails, software, source code and programmer notes to the world. As a world leader on climate modeling, the university is shocked to see its internal discussions hung out for public scrutiny.

Some emails suggest the university's scientists had earlier tried to destroy records to prevent their disclosure under a freedom of information request. Other records arguably depict programmers manipulating data for key climate modeling software in a deceptive manner. Some emails appear to show researchers misallocating expenses against a US government research grant.

Some observers speculate all these records had been assembled for a freedom of information request, and after the request was denied, an internal whistleblower elected to liberate them. Once information leaves the confines of the institution, it's easy to broadcast through channels like Wikileaks.com.

Separately, another institution on which technology has violently imposed transparency is international banking. An IT staffer at LGT Group stole secret bank customer records and sold them to the German tax authorities, who used them to prosecute tax evaders. “Liechtenstein Under Siege Clings to Bank Secrecy to Outdo Swiss,” Bloomberg.com 2/27/08.

Then a US Senate investigative committee data-mined Homeland Security records of foreign visitors to uncover a pattern of Swiss bankers coming to the US illegally to solicit deposits from rich American taxpayers. These unsavory revelations -- made possible by new technology -- have devastated the long-standing industry of secret bank accounts in places like Switzerland. The US has largely closed down that industry as an avenue for tax evasion and other crime. Kevin McCoy, “IRS: Offshore tax crackdown should produce 'billions',” USA Today, Nov. 17, 2009.

So in this technological age of leaks and sousveillance, what are institutions to do? Here are three mild examples of proactive transparency:

* New York City allows web-empowered citizens to track their government's performance on details like response times on calls to the fire department or the street maintenance crews.

* The City lets the same citizens monitor how the city is spending federal stimulus dollars.

* 15 local governments in South Carolina now post their full check registers online so citizens can scrutinize how the governments spend cash and which vendors get how much money.

Update November 29, 2009: After thinking about it, the University of East Anglia has decided that radical transparency is the only logical policy. In the wake of the hacker break-in described above, the University has announced it will reveal "all" of its climate data as soon as possible.

September 12, 2008

Must a data holder pay money if it is the victim of a data compromise? To that question the Connecticut Attorney General has a novel answer.

Background on Legal Liability

Few judicial decisions hold data holders liable for damages suffered by data subjects after a security breach. The best example of such a decision is Bell v. Michigan Council 25 AFSCME [Michigan Ct. of Appeals, unpublished op. 2/15/05]. It held a small labor union accountable to members who became victims of identity theft after a thief stole their Social Security Numbers (SSNs) and other data from the union. The damages amounted to approximately a quarter million dollars.

That result required the union members to go to court and prove negligence.

Sometimes state legislatures enact a law that specifically requires a data holder to pay the costs of others in the wake of a breach. A good example of such a special law is Minnesota’s HF 1758 (Plastic Card Security Act), which sometimes requires credit card merchants to reimburse the costs of card issuers when they replace cards after a breach at the merchant.

Politician Demands Liability ... and That's Not Necessarily Good or Bad

Now, in a breach at Countrywide Financial Corp (owned by Bank of America), the Connecticut state attorney general seeks liability without the support of a court decision or special legislation. He did not sue in court.

It appears the AG has simply demanded, in public, that Countrywide agree it will compensate anyone hurt by the breach. Countrywide is a large company, vulnerable to public pressure like this. Countrywide has agreed, and the AG is seeking to get that agreement in writing.

A state attorney general is a politician charged with advancing the interests of consumers. Here, Attorney General Richard Blumenthal is doing that not through traditional legal proceedings, but through his bully pulpit.

Background: Countrywide suffered a breach when an employee downloaded records on as many as 2 million Countrywide customers/prospects and offered them for sale to mortgage brokers who wanted them for sales leads. E. Scott Reckard, “Mortgage firm Countrywide, in response to alleged data breach, offers free credit monitoring,” Los Angeles Times, Sept. 10, 2008. Countrywide says it has no evidence that anyone has suffered identity theft from this incident.

Update: The expansion of legal liability for compromises of e-data security will be a deterrent to the adoption of electronic medical records (aka personal health records or PHRs). As the new Obama administration promotes electronic healthcare records, doctors' offices and clinics will have reason to resist. The reasoning of medical offices could go like this: "The Department of Health and Human Services says that if I implement e-patient records, I must implement reasonable safeguards to protect patient data. The implication is that if I make a mistake, I could be forced to pay money. Why should I expose my business to punishment by innovative privacy advocates like the Connecticut Attorney General? If a hacker invades or breaks into my e-records, an aggressive consumer advocate, like a plaintiff lawyer, might find a novel way to hold me liable. I'm better off with paper. If someone abuses my old-fashioned paper records, there is unlikely to be an audit trail of the incident (i.e., a smoking-gun electronic log showing that the wrong person opened the file). Furthermore, the compromise of paper records is less sexy and newsworthy than the hacking of electronic records. Consumer watchdogs like the Connecticut AG are less likely to make a big deal out of a garden-variety story about an unauthorized person looking at paper records in a manila file folder." The federal government has not yet proposed measures for protecting the security of PHRs. Ben Worthen, "New Epidemic Fears: Hackers," Wall Street Journal, Aug. 4, 2009.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
